
Problem with DOH listener in internal network

high_risk

HDD-drive
Hello everyone again. I find myself in the following scenario: I have gained access to a corporate network through VPN. We have access through a host vulnerable to executing commands through a webshell and uploading files to a server. This server does not ping outside the network, but it can resolve DNS TXT queries. Normally with Brute Ratel I would make a DoH listener and everything would be solved to be able to pivot, but on this occasion (I already verified that the target server could resolve my domain used for the DNS queries), after running the payload, no badger appears. Doing more tests, I realize that the target server uses for DNS resolution:

Server: ADDB.intra.example
Address: 192.x.x.x

If we tried "nslookup -type=txt dns1.example.com 8.8.8.8", it will give a timeout,

but if we tried "nslookup -type=txt dns1.example.com", it will correctly resolve the query using its own address 192.x.x.x

I am totally sure that for this specific scenario I am misconfiguring the DoH listener/payload (which on the rest of the occasions has worked perfectly).

I would appreciate hearing from anyone who has been in similar situations before I lose my mind, since I can't find anything on the internet about it or in the software documentation itself.
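From the defender's side, the behaviour described in this post (a host with no direct route out whose TXT lookups are still recursed by the internal resolver) shows up in that resolver's query log. The following is an added example, not part of the original post: it flags clients that send many TXT queries with distinct, long leftmost labels to a single zone. The log format, addresses, zone names and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed resolver query log, one query per line: "<time> <client> <qtype> <qname>"
SAMPLE_LOG = "\n".join(
    ["10:00:01 10.0.5.20 A www.example.org"]
    + [f"10:00:{i:02d} 10.0.5.20 TXT _dmarc.example.org" for i in range(2, 8)]
    + [f"10:01:{i:02d} 10.0.5.77 TXT {i * 7919:016x}.t.tunnel-zone.test" for i in range(1, 9)]
)


def zone_of(qname):
    """Naive zone guess: the last two labels (assumption, no public suffix list)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])


def find_txt_tunnel_candidates(log_text, min_queries=5, min_unique_ratio=0.8, min_avg_len=12):
    """Return (client, zone) pairs whose TXT traffic looks like data carried in labels."""
    labels_by_pair = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue  # skip malformed lines and non-TXT queries
        _, client, _, qname = parts
        labels_by_pair[(client, zone_of(qname))].append(qname.split(".")[0].lower())

    hits = []
    for (client, zone), labels in sorted(labels_by_pair.items()):
        total, unique = len(labels), len(set(labels))
        avg_len = sum(len(label) for label in labels) / total
        # Repeated lookups of one record (SPF, DMARC) have a low unique ratio;
        # encoded payloads produce many distinct, long leftmost labels.
        if total >= min_queries and unique / total >= min_unique_ratio and avg_len >= min_avg_len:
            hits.append({"client": client, "zone": zone, "txt_queries": total, "unique_labels": unique})
    return hits


if __name__ == "__main__":
    for hit in find_txt_tunnel_candidates(SAMPLE_LOG):
        print(hit)
```

Thresholds need tuning against a baseline of legitimate TXT traffic (SPF, DKIM, domain verification) before this is used for alerting.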